CENTRAL BANK CONSULTS ON GUIDANCE FOR OUTSOURCING - Citi.com
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Securities Services
CENTRAL BANK CONSULTS ON GUIDANCE
FOR OUTSOURCING
On 25 February 2021 the Central Bank of Ireland (Central Bank) published Consultation
Paper 138 on Cross-industry Guidance on Outsourcing (CP138/Guidance).1 It follows on
from the publication of the paper ‘Outsourcing – Findings and Issues for Discussion’2 in
November 2018 and the hosting of an industry Outsourcing Conference in April 2019.
The proposed Guidance sets out the Central Bank’s expectations regarding the
governance and management of outsourcing risk.
In this e-briefing we take a look at CP138.
Background increasingly being adopted as a key strategic tool to enable
In CP138 the Central Bank states that the nature of the financial service providers regulated by the Central Bank to
financial services landscape is continually evolving. This respond to and manage these changes.
change is influenced by many factors including customer/
The Central Bank recognises the increasing reliance of many
client preferences, regulatory developments, the increased
regulated firms on outsourced service providers (OSPs). This
pace of technological innovation in the delivery of services,
includes the use of both intragroup entities and third party
and changes in business models driven by cost, profitability
OSPs, both regulated and unregulated, for the provision of
and the need for increased flexibility and agility.
activities and services considered central to the successful
Outsourcing is at the heart of much of this change and is delivery of regulated firms’ strategic objectives.
Central Bank Consults On Guidance For Outsourcing 2
Furthermore, given the continually changing landscape for indicate a need for firms to strengthen some fundamental
the provision of financial services and the adaptation of aspects of their outsourcing strategies, including contractual
regulated firms in responding to this change, the Central arrangements, monitoring of operations and recovery and exit
Bank anticipates that new structures and service delivery strategies. The Central Bank’s proposed Guidance provides
models will evolve into the future. comprehensive coverage on each of these critical topics.
While the Central Bank acknowledges that outsourcing presents Purpose and Scope
significant and wide ranging benefits to regulated firms, it The Central Bank’s programme of supervision seeks to
also poses risks if not effectively managed. Consequently, confirm that regulated firms have effective governance, risk
when developing new models to deliver critical and important management and business continuity processes in place in
services, regulated firms must have regard to all outsourcing relation to outsourcing, to mitigate potential risks of financial
arrangements in place and should apply the proposed Guidance3 instability and consumer detriment.
to these arrangements.
The proposed Guidance is designed to assist regulated firms
The Central Bank states that the experiences of offshoring for in developing their outsourcing risk management frameworks
regulated firms during Covid-19 have, in some cases, revealed so as to effectively identify, monitor and manage their
weaknesses from an operational resilience perspective, which outsourcing risks.
Furthermore, the purpose of the proposed Guidance is to:
Communicate the Central Bank’s Remind boards and senior management Promote the adoption of standards
expectations with respect to the of regulated firms of their and good practice such that the
management of outsourcing risk responsibilities, including statutory boards and senior management
to the boards and senior management obligation, when considering and of regulated firms take appropriate
of regulated firms; utilising outsourcing, in any form, action to ensure that their
as part of their business model; and outsourcing frameworks are well
designed, operating effectively and
are sufficiently robust to oversee
and manage the associated risks.
Central Bank Consults On Guidance For Outsourcing 3
The proposed Guidance reminds regulated firms of their of outsourcing registers (see Part B Sections 10.1. and 10.2 of the
statutory obligations with regard to compliance with existing Guidance).
(as at the date of publication of CP138) and future legislation,
The proposed Guidance also clarifies the Central Bank’s position
regulations and guidelines relevant to their sector, in respect
in relation to key issues raised by respondents to the Central
of the management of outsourcing risk – see Appendix 1 of the
Bank’s discussion paper, most notably:
draft Guidance.
• Application and Proportionality – see Part A - Section 4 of
The proposed Guidance details the Central Bank’s adoption
the Guidance, which sets out the Central Bank’s view that the
of the European Banking Authority (EBA) Guidelines on
Guidance generally applies to all regulated firms, albeit the
Outsourcing Arrangements and the European Insurance
manner in which it may be adopted may differ based on the
and Occupational Pensions Authority (EIOPA) and European
nature, scale and complexity of the regulated firm’s business
Securities and Markets Authority (ESMA) Guidelines for
and the extent to which they rely on outsourcing of critical or
Outsourcing to Cloud Service Providers, for regulated firms
important functions as part of their business model.
that are within the scope of those guidelines and includes the
Central Bank’s expectation that such firms make every effort • Identification of critical or important arrangements – see
to comply with the guidelines. Part B Section 1 of the Guidance.
While the EBA, EIOPA and ESMA Guidelines (ESAs Guidelines) • Applicability to Intragroup Arrangements – see Part B
apply to certain sectors only, the requirements set out Section 2 of the Guidance.
therein, and in other draft guidelines currently the subject of
• The relevance of the Guidance to delegation arrangements
consultation, align with the Central Bank’s own supervisory
– see Part B Section 3 of the Guidance.
expectations in relation to the governance and management
of outsourcing risk. Where existing relevant sectoral legislation, regulations or
guidance is less prescriptive or is silent on certain matters, it is
Therefore the Central Bank proposes that its Guidance will
the Central Bank’s expectation that regulated firms refer to the
apply to all regulated firms. To ensure the manner in which the
supervisory expectations set out in the proposed Guidance.
Guidance is adopted is based on the nature, scale and complexity
of the regulated firm’s business, and the extent to which they The Guidance does not purport to address, in detail, every
rely on outsourcing of critical or important functions as part of aspect of firms’ legal and regulatory obligations as they
their business model, the Central Bank has included proposals pertain to outsourcing.
for the proportionate application of the Guidance. It should be read in conjunction with the relevant statutory
The proposed Guidance sets out the Central Bank’s expectations requirements including legislation, regulations as well as
where certain provisions of the ESA Guidelines allow for guidance and standards issued by the ESAs and further
National Competent Authority discretion e.g. notification of guidelines/guidance or bulletins issued by the Central Bank
outsourcing arrangements and the maintenance and submission in force at the point in time.
Central Bank Consults On Guidance For Outsourcing 4
Format of the Cross-Industry Guidance on Outsourcing Part B Section 6 – Due Diligence
The Cross-Industry Guidance on Outsourcing, whose link to Sets out the Central Bank’s expectation that regulated firms
the proposed Guidance is included at Schedule 1 of CP138, is undertake appropriate due diligence in respect of their OSPs
structured as follows: prior to entering into an outsourcing arrangement and at
appropriate intervals during the lifecycle of the arrangement.
Part A - Section 1 – Introduction
Sets out the background to the proposed guidance and Part B Section 7 – Contractual Arrangements & Service
its purpose and scope. It also sets out the Central Bank’s Level Agreements (SLAs)
intentions for the adoption of the Guidance in a manner Sets out the key contractual provisions that should be
that is proportionate to the nature, scale and complexity of incorporated into written outsourcing agreements (which
a regulated firm’s business. Finally, this section sets out the should preferably be legally binding contracts), including
status of the Guidance in the context of existing sectoral provisions regarding access, audit and information rights and
legislation, regulations and guidelines. the arrangements for exit from and/or termination of the
arrangement. It also highlights that such agreements should be
Part B Section 1 – Assessment of criticality or importance
supported by SLAs.
of activity/service to be outsourced
In keeping with the principle of proportionality, it is intended Part B Section 8 – Ongoing Monitoring and Challenge
that the proposed Guidance be predominantly applied in Highlights the importance of regular, comprehensive monitoring
respect of outsourcing of activities, services or functions that of the delivery of the service or function that has been
are deemed to be critical or important to a firm’s business outsourced and the appropriateness of the framework governing
(albeit some aspects are identified as being applicable to all and supporting the arrangements.
outsourcing arrangements). This section sets out the factors
Part B Section 9 – Disaster Recovery and Business
that regulated firms should consider when determining if an
Continuity Management
outsourced function should be deemed critical or important.
Sets out the Central Bank’s expectations of regulated firms in
Part B Section 2 – Intragroup Arrangements the establishment and oversight of measures to ensure support
Clarifies the Central Bank’s view that the Guidance applies for the continuity of outsourced functions. It also sets out the
equally to intragroup outsourcing arrangements as it does to requirement to have in place appropriate strategies to exit
arrangements with third party OSPs. It is acknowledged that the outsourcing arrangements should the need arise.
manner in which the Guidance is applied may however differ for
Part B Section 10 - Provision of Outsourcing Information
intragroup arrangements.
to the Central Bank
Part B Section 3 – Outsourcing and Delegation Which addresses the Central Bank’s expectations with
Clarifies the Central Bank’s view that outsourcing and regard to the requirements for regulated firms to inform,
delegation are not different concepts. While the specificities of by way of notification, the Central Bank of any planned
requirements for delegation arrangements are addressed in critical or important outsourcing arrangement or changes
the relevant sectoral legislation, regulations and guidance, it is to existing critical or important outsourcing arrangements.
emphasised that the Cross-Industry Guidance on Outsourcing Such notifications should be made in a timely manner. It
herein, is directly relevant to these regulated firms. The should not be inferred from the expectations relating to
Guidance highlights certain aspects of outsourcing risk Notifications that the Central Bank is creating a pre-approval
management that should be of particular interest to these firms process, where such a pre-approval is not an existing legal
in strengthening their outsourcing/delegation frameworks. requirement.
Part B Section 4 – Governance The Guidance does not supersede existing sectoral
This section sets out the Central Bank’s expectations around legislation, regulations and guidance on outsourcing, but
the appropriate and effective governance of outsourcing. It rather supports and complements them by setting out
sets out details of the responsibilities of boards and senior aspects of good practice for the effective management of
management in this regard. It also highlights the Central outsourcing risk in all its forms.
Bank’s expectation that regulated firms consider their
strategy and risk appetite in relation to outsourcing and This section also sets out the requirements for regulated firms
details the elements, which should be incorporated in to establish and maintain a register (database) of all outsourcing
a regulated firm’s outsourcing policy. arrangements and the information (data elements) that such
registers should contain. It also sets out the Central Bank’s
Part B Section 5 – Outsourcing Risk Assessment and
proposals to establish an online regulatory return for submission
Management
by regulated firms of their outsourcing registers. It is proposed
Highlights the importance of conducting and maintaining
that submission of registers will be required from regulated firms
comprehensive outsourcing risks assessments and details
on a cyclical basis commencing in January 2022.
the issues which should be considered when assessing and
designing controls to manage and/or mitigate a number
of key outsourcing risks.
Central Bank Consults On Guidance For Outsourcing 5
Questions to answer The proposed Guidance is supplemental to existing sectoral
The Central Bank invites general feedback on the proposed legislation, regulations and guidance with which regulated
Guidance from interested stakeholders and in addition firms are already expected to comply. It is the Central Bank’s
requests that respondents consider the specific questions expectation that the boards and senior management of
under Section 8 of CP138. These are: regulated firms review the Guidance and adopt appropriate
measures to strengthen and improve their outsourcing
1. Are there are any aspects of the Guidance that are
frameworks and their effective management of outsourcing
unclear? If so, please advise what these are and provide
risk in line with this proposed Guidance. Regulated firms
suggestions on the additional clarity required.
must be able to demonstrate that they have considered the
2. What, if any, are the other areas/topics that should be supervisory expectations set out in the Guidance in this regard.
covered in the Guidance (specify sections) or in future
With regard to the Central Bank’s requirements in relation to
versions of the Guidance?
Notifications and the submission of Outsourcing Registers as
3. What, if any, are the significant issues /or concerns or detailed in Part B - Section 10.1 and 10.2 of the Guidance, it is
unintended consequences that might arise due to the proposed that:
provisions of the Guidance?
• For regulated firms who fall within scope of the EBA,
4. The Central Bank has considered existing sector specific EIOPA and ESMA Guidelines referenced above, the Central
legislation and guidance as they pertain to outsourcing Bank timelines for implementation of these aspects of the
and is of the view that this Guidance serves to provide Guidance will align with the timelines mandated by the
additional clarity on the Central Bank’s expectations and EBA, EIOPA and ESMA respectively; and
best practice when firms utilise outsourcing. Are there any
• For all other regulated firms, the timeline for implementation
particular aspects of the Guidance that appear to be at
of these requirements will be in accordance with existing
odds with existing sectoral requirements and could give
sectoral regulation or guidelines or as will be notified by
rise to confusion/ misinterpretation? If so please provide
way of an industry letter.
details on any aspects which you believe may cause
confusion and suggest how best to address such issues. CP138 will remain open for comment until 26 July 2021.
Next steps and implementation 1.
See https://www.centralbank.ie/publication/consultation-papers.
The Central Bank proposes to publish the Guidance in 2021 2.
See https://www.centralbank.ie/publication/discussion-papers.
following the conclusion of the consultation period and 3.
Note that the Draft Cross-industry Guidance on Outsourcing listed in Schedule 1
of CP138 is contained in a separate document. See https://www.centralbank.ie/
consideration of submissions received from respondents. docs/default-source/publications/consultation-papers/cp138/draft-cross-industry-
guidance-on-outsourcing.pdf.
Contains Irish Public Sector Information licensed under a Creative Commons
Attribution 4.0 International (CC BY 4.0) licence.Central Bank Consults On Guidance For Outsourcing 6 Please contact for further details: David Morrison Ann-Marie Roddie Global Head of Trustee and Fiduciary Services Head of Product Development Fiduciary Services david.m.morrison@citi.com annmarie.roddie@citi.com +44 (0) 20 7500 8021 +44 (1534) 60-8201 Amanda Hale Caroline Chan Head of Regulatory Services APAC Head of Fiduciary Business amanda.jayne.hale@citi.com caroline.mary.chan@citi.com +44 (0)20 7508 0178 +852 5181 2602 Shane Baily Jan-Olov Nord EMEA Head of Trustee and Fiduciary Services EMEA Head of Fiduciary Services UK, Ireland and Luxembourg Netherlands and Sweden shane.baily@citi.com janolov.nord@citi.com +353 (1) 622 6297 +31 20 651 4313 www.citibank.com/mss The market, service, or other information is provided in this communication solely for your information and “AS IS” and “AS AVAILABLE”, without any representation or warranty as to accuracy, adequacy, completeness, timeliness or fitness for particular purpose. The user bears full responsibility for all use of such information. Citi may provide updates as further information becomes publicly available but will not be responsible for doing so. The terms, conditions and descriptions that appear are subject to change; provided, however, Citi has no responsibility for updating or correcting any information provided in this communication. No member of the Citi organization shall have any liability to any person receiving this communication for the quality, accuracy, timeliness or availability of any information contained in this communication or for any person’s use of or reliance on any of the information, including any loss to such person. This communication is not intended to constitute legal, regulatory, tax, investment, accounting, financial or other advice by any member of the Citi organization. This communication should not be used or relied upon by any person for the purpose of making any legal, regulatory, tax, investment, accounting, financial or other decision or to provide advice on such matters to any other person. Recipients of this communication should obtain guidance and/or advice, based on their own particular circumstances, from their own legal, tax or other appropriate advisor. Not all products and services that may be described in this communication are available in all geographic areas or to all persons. Your eligibility for particular products and services is subject to final determination by Citigroup and/or its affiliates. The entitled recipient of this communication may make the provided information available to its employees or employees of its affiliates for internal use only but may not reproduce, modify, disclose, or distribute such information to any third parties (including any customers, prospective customers or vendors) or commercially exploit it without Citi’s express written consent. Unauthorized use of the provided information or misuse of any information is strictly prohibited. Among Citi’s affiliates, (i) Citibank, N.A., London Branch, is regulated by Office of the Comptroller of the Currency (USA), authorised by the Prudential Regulation Authority and subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority (together, the “UK Regulator”) and has its registered office at Citigroup Centre, Canada Square, London E14 5LB and (ii) Citibank Europe plc, is regulated by the Central Bank of Ireland, the European Central Bank and has its registered office at 1 North Wall Quay, Dublin 1, Ireland. This communication is directed at persons (i) who have been or can be classified by Citi as eligible counterparties or professional clients in line with the rules of the UK Regulator, (ii) who have professional experience in matters relating to investments falling within Article 19(1) of the Financial Services and Markets Act 2000 (Financial Promotion) Order 2005 and (iii) other persons to whom it may otherwise lawfully be communicated. No other person should act on the contents or access the products or transactions discussed in this communication. In particular, this communication is not intended for retail clients and Citi will not make such products or transactions available to retail clients. The information provided in this communication may relate to matters that are (i) not regulated by the UK Regulator and/or (ii) not subject to the protections of the United Kingdom’s Financial Services and Markets Act 2000 and/or the United Kingdom’s Financial Services Compensation Scheme. © 2021 Citibank, N.A. (organized under the laws of USA with limited liability) and/or each applicable affiliate. All rights reserved by Citibank, N.A. and/or each applicable affiliate. Citi, Citi and Arc Design and other marks used herein are service marks of Citigroup Inc., used and registered throughout the world. GRA33463 04/21
You can also read
